Changing existing pass phrase to non obvious hard to guess phrase
Here is what I am trying to do. I have a program which stores data into MS Access file with database password. All data in table is encrypted by using user name ans password. They both use the same password.
I am trying to change the entered password so it's different from original because I want it to be different from MS Access database password and encryption password.
Two reasons for that. First, I don't want user to modify the content of MS Access file. Changing the original password to something else would stop them from doing so because they won't know the actual password to DB. Plus, data will be encrypted, so if user change the data into non-encrypted data it will break my program. Second, lets assume that MS Access file is the weakest link in security of my program. Knowing password to database file will make easier for attacker to break in and decrypt my data. But he don't know the user name, yet.
So how I can change a password to be something else which would be hard to guess of how it was changed into new one?
Database password in MS Access 2007 must be not longer than 20 characters.
I do know that I can read the program by using HEX editor, ect, so I want the change to stay secret. I can not encrypt it, because it will take more space than 20 characters.
Assume that only a file with data is stolen.
Depends on your users' computer knowledge level. If you've just 'usual' office workers then it might be enough to hash the password via MD5 and take first 20 characters.
For your second edit: are your users actually capable of reverse-engineering your software? Sure it's easier for .NET-based applications, but still it's not a thing someone will do without actual purpose.
If you want to install protection so someone stealing this file won't be able to read it then you need to specify more details of supposed theft. For example, cases when attacker gets only the Access file and when the attacker physically steals HDD with all your software to reverse-engineer etc. are completely different. Your protection should match supposed threat level - and before you start planning any countermeasures you'll need to specify this supposed level.